Can if function be used with sort?

kamryn · ‎07-29-2019

I am working on a dashboard that has a radio button that can change a search between the two of the following

| stats count by fieldA

or

| stats dc(fieldA)

At the end of this search I would like to have a sort based on whether or not count or distinct count is being used.

sort - count

or

sort - distinct_count

Is this something that I can accomplish using the if function? The following is a non functional example of what I would like to do something like.

if(count==disctinct_count, sort - distinct_count, sort - count)

Thank you for any insight you might have.

sandeepmakkena · ‎10-16-2019

| eval sort_field = if(count==disctinct_count, distinct_count, count)
| sort -sort_field

You can try this.
Hope this helps, Thanks!

jacobpevans · ‎07-29-2019

No, there is no way to do this that I'm familiar with.

Could you just try changing one of the stats functions to rename the field? E.g. change:

| stats dc(fieldA)

to

| stats dc(fieldA) as count

then, keep the normal sort

| sort - count

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

Can if function be used with sort?

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

Are you a member of the Splunk Community?

Can if function be used with sort?

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!